Pwn2Own: The perfect antidote to fanboys who say their platform is safe

Despite huge leaps in secure code, nothing is immune when hackers are motivated.

For the past seven years, an annual hacker competition that pays big cash prizes has driven home the point that no Internet-connected software, regardless of who made it, is immune to exploits that surreptitiously install malware on the underlying computer. The first day of this year's Pwn2Own 2014 and the companion contest that ran concurrently stuck with much the same theme, with successful hacks of the Internet Explorer, Firefox, and Safari browsers and Adobe's Flash and Reader applications.

Contestants from Vupen, the France-based firm that sells fully weaponized exploits to governments it deems non-repressive, fetched $400,000 during day one of the two-day event. The haul came from exploits that allowed team members to gain full control over IE, Firefox, Flash, and Reader. Vupen's Firefox attack was one of three hacks that successfully compromised the Mozilla browser, with researchers Mariusz Mlynski and Juri Aedla also taking it down, feats that won them $50,000 each. At the Pwn4Fun contest held at the same CanSecWest security conference, researchers from Google toppled Apple's Safari browser, and their counterparts from HP commandeered IE.

Internet software has come a long way since 2007, when Pwn2Own began. These days, code is more methodically scoured for buffer overflows, null-pointer dereferences, and other bugs that inevitably find their way into any complex application. Among the techniques: developers spend thousands or even hundreds of thousands of hours running their programs through "fuzzers," which feed malformed data to a work in progress to see what makes it crash, each crash marking a potential memory-safety bug.
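To make the fuzzing loop concrete, here is an added example (not code from the article or from any of the vendors it names) in Python: a deliberately naive record parser that trusts a length field, a hardened version that validates it, and a small mutation-based fuzzer that feeds random corruptions of a valid seed input to each parser and reports which unexpected exception types it provoked. The record format, both parsers, the seed bytes and the mutation strategies are all constructed for this illustration; the IndexError the naive parser raises stands in for the out-of-bounds read a C parser would suffer on the same input.

```python
import random


class MalformedInput(ValueError):
    """Raised by the parsers for input they explicitly reject."""


def parse_records_unchecked(data: bytes) -> list[tuple[int, int]]:
    """Toy format (constructed for this example): one count byte followed by
    `count` two-byte (tag, value) records. This version trusts the count
    blindly, the analogue of a C parser reading past the end of its buffer."""
    if not data:
        raise MalformedInput("empty input")
    count = data[0]
    return [(data[1 + 2 * i], data[2 + 2 * i]) for i in range(count)]


def parse_records_checked(data: bytes) -> list[tuple[int, int]]:
    """Same format, but the declared count is validated against the real length."""
    if not data:
        raise MalformedInput("empty input")
    count = data[0]
    if len(data) < 1 + 2 * count:
        raise MalformedInput(f"count {count} exceeds payload of {len(data) - 1} bytes")
    return [(data[1 + 2 * i], data[2 + 2 * i]) for i in range(count)]


def mutate(seed_input: bytes, rng: random.Random) -> bytes:
    """One random corruption of the seed: overwrite a byte, flip a bit,
    insert a byte, delete a byte, or truncate the tail."""
    buf = bytearray(seed_input)
    choice = rng.randrange(5)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 3 and buf:
        del buf[rng.randrange(len(buf))]
    elif buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(parser, seed_input: bytes, iterations: int = 2000, seed: int = 1) -> dict[str, bytes]:
    """Throw mutated inputs at `parser` and return the first input that
    triggered each unexpected exception type. MalformedInput is the parser's
    deliberate rejection and is not counted; anything else is a crash that a
    fuzzer would flag for the developer to look at."""
    rng = random.Random(seed)  # fixed seed so a finding can be reproduced
    crashes: dict[str, bytes] = {}
    for _ in range(iterations):
        candidate = mutate(seed_input, rng)
        try:
            parser(candidate)
        except MalformedInput:
            continue
        except Exception as exc:  # noqa: BLE001 - a fuzzer wants every crash type
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


# Constructed seed: two well-formed records, (0x10, 0xAA) and (0x20, 0xBB).
SEED_INPUT = bytes([2, 0x10, 0xAA, 0x20, 0xBB])

if __name__ == "__main__":
    print("unchecked parser:", fuzz(parse_records_unchecked, SEED_INPUT))
    print("checked parser:  ", fuzz(parse_records_checked, SEED_INPUT))
```

Run as a script, the unchecked parser yields an IndexError within a handful of iterations (a truncated or count-corrupted input does it), while the checked parser turns every such input into a clean MalformedInput rejection and the fuzzer reports nothing. Real fuzzers add coverage feedback and crash triage on top of this loop, but the principle is the same one the article describes.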

Software engineers have also designed protections such as address space layout randomization, which randomizes the addresses at which a program's code, libraries, stack, and heap are placed so that an attacker can't predict where to jump; data execution prevention, which marks memory that holds data as non-executable so that injected code can't run; and security sandboxes, which isolate downloaded content in a highly restricted perimeter so that a compromised browser process has little access to the rest of the system. The mitigations are designed to lessen the damage hackers can do when they exploit bugs. As a result, exploits that otherwise would have executed any code an attacker picked can only crash the application or cause it to hang.
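Those mitigations are properties of each binary, and a defender's first check is whether a program was even built with them. The following Python is an added example, not code from the article or from any vendor it mentions: it reads an ELF64 header and program-header table and reports whether the executable is position-independent (the prerequisite for ASLR to relocate the program itself), whether its stack is marked non-executable (the DEP/NX side), and whether any load segment is both writable and executable. The two images it inspects are constructed inline as bare headers, not real programs; the structure layouts and constants are the standard ELF ones, and treating a missing PT_GNU_STACK entry as "executable stack" is this example's conservative assumption about the loader's default.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes


def check_mitigations(image: bytes) -> dict:
    """Report PIE / NX-stack / W^X status from an ELF64 little-endian image."""
    if len(image) < EHDR.size or image[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    (e_ident, e_type, _machine, _version, _entry, phoff, _shoff, _flags,
     _ehsize, phentsize, phnum, _shentsize, _shnum, _shstrndx) = EHDR.unpack_from(image, 0)
    if e_ident[4] != 2 or e_ident[5] != 1:  # EI_CLASS == ELFCLASS64, EI_DATA == little-endian
        raise ValueError("only ELF64 little-endian images are handled here")
    if phentsize < PHDR.size or phoff + phnum * phentsize > len(image):
        raise ValueError("program header table out of bounds")

    stack_flags = None
    wx_segments = []
    for i in range(phnum):
        p_type, p_flags, _off, vaddr, _paddr, _filesz, _memsz, _align = PHDR.unpack_from(
            image, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags          # the linker records the stack permissions here
        elif p_type == PT_LOAD and (p_flags & PF_W) and (p_flags & PF_X):
            wx_segments.append(hex(vaddr))  # writable+executable memory defeats DEP

    # Assumption (this example's conservative reading): no PT_GNU_STACK entry
    # means the loader may give the process an executable stack.
    nx_stack = stack_flags is not None and not (stack_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,           # only a PIE binary is relocated by ASLR
        "nx_stack": nx_stack,
        "stack_header_present": stack_flags is not None,
        "wx_load_segments": wx_segments,
    }


def build_image(e_type: int, phdrs: list[tuple[int, int, int]]) -> bytes:
    """Constructed test fixture: an ELF64 header followed by its program headers.
    This is not a loadable program, just enough structure for the check above."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, little-endian, v1, SysV ABI
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    table = b"".join(PHDR.pack(t, f, 0, vaddr, vaddr, 0, 0x1000, 0x1000)
                     for t, f, vaddr in phdrs)
    return ehdr + table


# Constructed images: one built the way a modern hardened toolchain would,
# one with the older weak settings, and one with no stack note at all.
HARDENED = build_image(ET_DYN, [(PT_LOAD, PF_R | PF_X, 0x1000),
                                (PT_LOAD, PF_R | PF_W, 0x4000),
                                (PT_GNU_STACK, PF_R | PF_W, 0)])
WEAK = build_image(ET_EXEC, [(PT_LOAD, PF_R | PF_W | PF_X, 0x400000),
                             (PT_GNU_STACK, PF_R | PF_W | PF_X, 0)])
NO_STACK_NOTE = build_image(ET_EXEC, [(PT_LOAD, PF_R | PF_X, 0x400000)])

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("weak", WEAK), ("no-stack-note", NO_STACK_NOTE)):
        print(f"{name:14s}", check_mitigations(image))
```

On a real binary, `readelf -l` or a checksec-style tool reports the same fields; the value of writing it out is seeing that "has ASLR" and "has DEP" are concrete bits the linker sets, which is why a toolchain built without them leaves the door the article describes wide open.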

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure. Yes, there are years in which a given platform emerges unscathed, but the long-term pattern is clear. The lesson: any code that is functional enough to be desirable to Internet users can be hacked to potentially devastating effects. No doubt, the mitigations Microsoft, Google, Apple, Mozilla, and Adobe have added to their products make the attackers' jobs immeasurably harder. But as long as there's a strong enough incentive—say, in the form of financial gain or the ability to acquire valuable national security or industry intelligence—exploits like the ones delivered at Pwn2Own won't just be possible. They'll be inevitable.

Promoted Comments

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

I disagree. Safe is different from secure. Just because your house is in a good neighborhood, or your system of choice is super obscure, does not make it more secure. It simply makes it less likely to be pwned, i.e. safer. An iPhone user with unsafe habits is less safe than a careful user with an Android model, but in general (and if I'm wrong, just go with the theoretical please; I'm not looking to turn this into a flamewar), the iPhone is still more secure than the Android phone.

That said, it's pretty clear iOS is the most secure mobile OS, and Nextstep er OSX may be the most secure desktop OS. It's because of extra layers.

They both start with industrial strength unix operating systems with preemptive multitasking and memory protection.

I say this as a Unix admin - even the most hardened system has unintended functionality that the developers are unaware of. Starting with Unix is not a cure-all, just look at the number of Solaris and BSD patches there are out there.

The safest (connected) systems are those that do as little as possible. Sometimes the more layers you add, the more opportunity there is for errors. There's a reason the Galactica wasn't networked.

Moral of the story is simple: if it is connected to the Internet it can be hacked. Assume your device is insecure and prepare and implement contingencies accordingly. (You will have fewer headaches that way)

Once I decided to treat stuff like that as an eventuality instead of something that "could happen"? Definitely relaxed more. I'm covered and as ready as I can be, no running around like a chicken with its head cut off.

The bounty scales tell us a lot. I use Firefox as my main browser and I am not happy that it has the lowest bounty, implying it is easiest to compromise, and the fact that it has been compromised by 4 separate teams using different exploits according to the pwn2own results.

Couldn't many security problems, such as buffer overflows and null pointers, be fixed with "safer" programming languages? I think I read something about it a while back...

Of course to some degree, but those unsafe operations can also be very useful in creating high performance. I'd guess that all the javascript and browser benchmarking wars have a correlation with how much work has to be done to secure the browsers.

My take on security is it has two parts: systemic and human. Systemic are the installed OS and applications needed for a useful system and the related settings. All will have security issues with only the extent varying. Human security is what good and bad practices the user has when using the system. If either is very poor, the system security is poor. Great software security is trumped by bad practices and insecure software will trump excellent habits. If both the system has good, secure software with intelligent default settings and the user has good security practices the system security is reasonably high.

On the system side, software providers must realize most users are not security experts. Thus the software should use only those systems resources needed to function.

On the human side, users should learn good practices, such as strong passwords, being careful about opening unknown files, being alert to phishing, not changing default settings without knowing what you are doing, etc.

For example, Linux has a reputation for being more secure than Windows. Assuming this is true, one can undo the OS security by one's bad practices and habits. It might take longer with Linux for the effects to be seen, but they will be seen. On the opposite side, one can use Windows and with good practices never suffer from a security related problem. In this scenario, the best situation is Linux with good user practices and the worst is Windows with bad practices. I should note that Windows security since at least W7 is good. Also, many of the current, potentially devastating attacks are not attacking the OS or the browser but the JVM, Java applets, and Adobe Flash.

I say this as a Unix admin - even the most hardened system has unintended functionality that the developers are unaware of. Starting with Unix is not a cure-all, just look at the number of Solaris and BSD patches there are out there.

The safest (connected) systems are those that do as little as possible. Sometimes the more layers you add, the more opportunity there is for errors. There's a reason the Galactica wasn't networked.

I started my life in unix admin world with BSD 4.1. I read every line of code in the OS. Which is the main reason I don't use bsd today. The attitude of the developers being the other. As to Solaris? Seriously, why would that even be on the list of an OS one might trust. The only patch for Solaris should be to install a proper OS.

You spelled "least" wrong. OSX is the least secure (by a large but shrinking distance) major desktop OS (eg: Windows/OSX/Linux).

Splitting Linux and Windows is harder, but if security was a huge priority for me, I'd be running Linux for sure. Not because it's inherently more secure (although it may be), but because hacking desktop distros of Linux is a lot less valuable to folks than hacking Windows.

A "safe" machine is operated by an educated user according to best practices, is fully up to date with vendor patches and takes no risks.

A "secure" machine is powered off, under armed guard in a basement to which there is a dual key arrangement for entry and zero connectivity to the outside world. It contains nothing of interest to any potential aggressor.

I disagree. Safe is different from secure. Just because your house is in a good neighborhood, or your system of choice is super obscure, does not make it more secure. It simply makes it less likely to be pwned, i.e. safer. An idiot with an iPhone is less safe than a careful user with an Android model, but in general (and if I'm wrong, just go with the theoretical please; I'm not looking to turn this into a flamewar), the iPhone is still more secure than the Android phone.

It wouldn't be much of a flamewar. Apple is more secure than Android for one simple fact: Apple is able to send out updates to its phones. Android, on the other hand, is limited with its updates, as they are pushed out from the phone carrier, and are few and far between.

The attacks here are through applications, though. Android keeps Chrome up to date just fine no matter who your carrier is. So I don't think it's that simple.

Do any of the exploits work without any plugins (ie: no flash/reader) installed?

I'm wondering the same thing; I mean, should we even reward Flash and Acrobat exploits? They're pretty much the default entry point to every computer system these days, it's not even funny anymore. Still, it does highlight a continuing problem with the effectiveness of plugin restrictions if they're still being used to break otherwise secure systems.

I don't use Acrobat Reader (since Apple's Preview does the job just fine), and I use click2plugin on Safari so Flash content only loads when I want it to, and have Flash disabled on Google Chrome (since I mostly use it as a convenient browser for my secondary screen for looking stuff up).

I would love to hear about / see a contest for the Internet of Things.

It seems to be on the news a lot and the general public never hear about how fallible the security in these devices is. A pwn2own contest for fridges, TVs, consumer routers, etc. would help to get the word out.

And the equivalent of doing that is getting someone to download a program... and run it. I am assuming that this pwn2fun contest means you can't download a program to affect the control of the computer in question...

TL;DR... even if this doesn't apply to the article it's still a great reminder...

The bounty scales tell us a lot. I use Firefox as my main browser and I am not happy that it has the lowest bounty, implying it is easiest to compromise, and the fact that it has been compromised by 4 separate teams using different exploits according to the pwn2own results.

Lowest bounty on FF only means that the Mozilla Foundation is a non-profit org which doesn't have deep pockets like Google, Microsoft, and Apple.

Lowest bounty on FF only means that the Mozilla Foundation is a non-profit org which doesn't have deep pockets like Google, Microsoft, and Apple.

No it doesn't. It means that they judged Firefox easier to crack and so less worthy of a big prize. HP funds all the prizes; Mozilla's non-profit status never enters into consideration.

It's not surprising that they judge Firefox in this way. It has minimal sandboxing (only plugins are isolated), since we're still waiting for Electrolysis to land.

That said, it's pretty clear iOS is the most secure mobile OS, and Nextstep er OSX may be the most secure desktop OS. It's because of extra layers.

I believe a number of these participants have actually explicitly said it's harder to hack Windows than OSX.

Example:

Quote:

With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.

It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.

Yeah, a five year old quote from 2009. Mac OS X has had a few layers of security added on and improved since then.

Further to that, let’s look at a more timely quote from one of the "current" researchers that is responsible for yesterday’s exploit of Mac OS X.

According to Liang Chen of Keen Team,

“For Apple, the OS is regarded as very safe and has a very good security architecture,” Chen said. “Even if you have a vulnerability, it’s very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems.”

I'm a bit of an OpenBSD "fanboy," and while it's not perfect (nothing is), I'd say it's at least safe enough by default. It makes a very good and exceedingly secure router/firewall and a pretty darn good server, too. Depending on how big of a target you are, I think it's reasonable to say that a well-administered OpenBSD system is safe, yes.

Of course, that's the base system. Put a web browser on it, for instance, and you're adding another potential path for exploitation, as shown here (though with a well-designed operating system, a browser exploit won't compromise the entire system). This means that for your typical user, it's immediately going to be slightly less secure. As always, it's about managing your risks appropriately for the role the system's going to be in. How relaxed should security be for your users to ensure decent usability? You definitely don't want your router compromised, but as long as you make sure your network handles end users as insecure to begin with, it might be fine to aim for "pretty good" instead of "nearly perfect."

Security's a complex issue and it's not always all or nothing. Certainly, there's no panacea, but that doesn't make the pursuit of "darn good" security a bad thing. But yes, claiming immunity to everything is silly.

I have an idea! Let's welcome women into infosec by decorating a security story with a photo of some ludicrous dudebros!

1. "Women" aren't a single, homogeneous group, and you have no evidence that a non-trivial number of them would be put off by a silly picture posted in a security article.

2. If "women" have a problem with it, they're perfectly capable of voicing their concerns on an individual basis. Women are not small children that need to be protected at every possible juncture.

3. If you in particular have a problem with it, you should probably contact the editor rather than trying to derail the comments section.

It's not surprising that they judge Firefox in this way. It has minimal sandboxing (only plugins are isolated), since we're still waiting for Electrolysis to land.

What is it with this sandboxing fetish as of late? Read the hacks of the other programs: sandbox-bypass, sandbox-bypass, sandbox-escape. So where's the benefit? In New-Ars-Speak: Such sandbox, many hole, wow.

It wouldn't be much of a flamewar. Apple is more secure than Android for one simple fact: Apple is able to send out updates to its phones. Android, on the other hand, is limited with its updates, as they are pushed out from the phone carrier, and are few and far between.

Your claimed one simple fact is false in its implication. It helps immensely that Apple is able to update every iDevice immediately, but it is not the only or even biggest reason iOS is more secure than Android. As Charlie Miller, the famed Apple hacker, once said: iOS is more secure than Android because Android was set up from the beginning to run anything (this doesn't exclude malware), so security is up to a very diligent user. iOS was set up to run only what has been vetted by Apple through their walled garden, so clueless users or users who have better things to do with their time cannot download a dangerous piece of software. This is a very secure (not perfect) way to run a mobile device, much more secure than the anything-goes world of Android.

If you think about it, this is the whole reason that IT departments are so hot to control the end user experience. Because end users either aren't diligent, aren't knowledgeable enough, or don't take the time, or don't care enough. Thus, to protect the company, every company needed an IT department and control over the company's computing experience. Apple has decided to be your IT administrator, and I think they have succeeded in being much more responsive and less iron-fisted than a typical IT department.